Allow updating password via EPP

app/controllers/epp/sessions_controller.rb

@@ -19,6 +19,12 @@ class Epp::SessionsController < EppController
     end
 
     if @api_user.try(:active) && cert_valid
+      if parsed_frame.css('newPW').first
+        unless @api_user.update(password: parsed_frame.css('newPW').first.text)
+          handle_errors(@api_user) and return
+        end
+      end
+
       epp_session[:api_user_id] = @api_user.id
       render_epp_response('login_success')
     else
@@ -42,4 +48,8 @@ class Epp::SessionsController < EppController
     ph = params_hash['epp']['command']['login']
     { username: ph[:clID], password: ph[:pw] }
   end
+
+  def parsed_frame
+    @parsed_frame ||= Nokogiri::XML(request.params[:raw_frame]).remove_namespaces!
+  end
 end

app/models/api_user.rb

@@ -2,6 +2,15 @@ require 'open3'
 
 # rubocop: disable Metrics/ClassLength
 class ApiUser < User
+  include EppErrors
+  def epp_code_map # rubocop:disable Metrics/MethodLength
+    {
+      '2306' => [ # Parameter policy error
+        [:password, :blank]
+      ]
+    }
+  end
+
   # TODO: should have max request limit per day
   belongs_to :registrar
   has_many :contacts

app/views/registrar/sessions/login_mid.haml

@@ -9,6 +9,10 @@
     = f.text_field :phone, class: 'form-control', placeholder: t('phone_no'), autocomplete: 'off'
     %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t('log_in')
 
+- if ['development', 'alpha'].include?(Rails.env)
+  %div.text-center
+    60000007 / 00000766
+
 :coffee
   $('.js-login').attr('disabled', false)